June 2012 Archives

Libor also broke the first rule of Information Governance


Until two days ago I was among those who believed that "Libor" was an authoritative index based on actual transactions, not unchecked estimates, collated once a day, from traders with a vested interest, personal as well as organisational.

I did my original systems analysis training during the run up to Decimalisation in 1971: the first nation-wide opportunity for large scale computer-assisted fraud.

We spent more time learning about how to ensure that the data going into the system was accurate and that what was reported was fit for purpose than about the technologies we would use to process it.

The first "rule" was that unless the data was provided by those who had both a vested interest in its accuracy and the knowledge and the opportunity to check that it was indeed correct, it was likely to be at best full of random errors and at worst systemically misleading.

I had already (in 1969) had occasion to see the truth of that statement with regard to the statistics used by the government of the day, when a blip caused by the inclusion of three years' exports for my previous employer in a single month's balance of payments led the then Chancellor of the Exchequer to say, erroneously, that Britain had "turned a corner".

If it is correct that LIBOR was indeed based on subjective inputs from traders as to what they would like to have seen, as opposed to being an objective by-product of processing actual transactions, then the real question is "how on earth was that allowed to happen at all, let alone go on for so long?"

The honesty or otherwise of those involved in the process is almost irrelevant by comparison with the cavalier attitude to information governance. We can see that elsewhere with regulators obsessing over data protection as opposed to accuracy and integrity. It is as though the errors in the patient record that led to the treatment that caused your death did not matter, provided the Caldicott Guardian was happy with its security.

Some of the assumptions underlying the Open Data White Paper mean this is not an academic, "post mortem question". Accurate and timely data is of great value. But a mash-up of garbage is toxic sludge.

Unless we once again take seriously the issues of data quality (and the disciplines of information governance) we are in danger of building a future based not merely on sand (silicon) but on quicksand (silicon processed sludge).

Hence the critical importance of the recommendations in the report by EURIM on "Improving the Evidence Base: the Quality of Information", published this time last year.


Why did the French (Minitel) not conquer the on-line world?

My son has just e-mailed me a link to the BBC article on the final death of the Minitel. He asked if it really was that good. It was. It was better than the BBC article implies because the direct debit giropay system at its heart bypassed most of the opportunities for on-line fraud that look set to cripple the growth of the Internet until they are properly addressed.

So why did the Minitel approach not take off globally? The main reason, alluded to in the article, is that the French were proud and possessive of their IPR and tried to sell the technology as a closed system. Meanwhile the fathers of the Internet and of the Web gave away their IPR in a world of open and uncharged standards, bypassing not only ITU but ISO, and unleashing a torrent of creativity.

There is a lesson there for those wondering why Western economic growth is stalled and the East is leapfrogging the West into a world of multi-cultural, mobile, ubiquitous broadband.

The 1624 Statute of Monopolies (denying protection other than to the true inventor and then limiting it to 14 years) and the Statute of Anne (similarly limiting copyright) underpinned the First Industrial Revolution - as British Nobles on the Grand Tour pillaged the IPR of continental Europe in much the same way as the East India Company looted that of China and India.

Hence my belief that we need a shorter, tougher regime for granting intellectual property rights. Once granted, they should be easier and cheaper to police, particularly for small firms and for those who invest in bringing innovation to market. However, as in the early days of patent, those who fail to bring their innovation to market should lose protection, perhaps with some form of compulsory auction of licenses.


Why are we basing surveillance policy on myth and legend?

I have blogged before on the reluctance of both sides to allow reality to enter the current debate on surveillance policy. In one of my subsequent blogs I said that a core problem was the sincerity of those who believe that the legislation is seeking to preserve a mythical status quo during a time of radical technology change.

I think I should expand on this because current publicity for the achievements of Bletchley Park ignores the fact that one of its greatest triumphs, the breaking of the new U-Boat codes, would not have been possible without American assistance on a scale that has been airbrushed out of history. By the time Shark was broken in December 1942 the US Navy was running more Bombes than Bletchley. The other incredible achievement, the monitoring of German planning for the Battle of Kursk and the processes used to persuade Stalin to believe what was being passed to him, was indeed peculiarly British. But that was mainly because Anglo-American co-operation did not extend much beyond the US Navy until 1944 (US inter-agency politics rather than UK reluctance).

The ability of GCHQ to do what it does depends on a series of Mutual Assistance agreements, the latest of which (the intelligence clauses of which have never been revealed so they may, or may not, be relevant) is due for renewal in 2014.

The effective monitoring of Internet Traffic today depends even more on international co-operation. Giving BT, O2/Vodafone/C&W and 3/Everything Everywhere £200 million a year to retain communications data at the same time as tinkering with the legal routines to give access to UK law enforcement to what they have retained (as is proposed in the current bill) is meaningless unless it is part of a much broader picture.

Far more significant (and also with more impact on UK competitiveness) are the requirements on Banks, Payment services and Transaction Processing operations to retain data in case a regulator might want it.

Far more significant to those concerned about personal privacy are the advertising-funded business models of major ISPs and access, under the Patriot Act, for any data stored anywhere by US-based ISPs on non-American Internet users. Once data is stored it can also, of course, be demanded under court order, civil or criminal.

Now add in the commercial (both legal and illegal) services already available to help Banks and On-line retailers to identify malpractice and track and trace those attacking them and their customers. Now look at the way those services are being used by, for example, Iran and Syria, to identify, monitor and "remove" dissidents.

Now look through the other end of the telescope at the way we are failing to make effective use of such services to reduce the cost of fraud (with, for example, the same credit cards being used simultaneously around the world for days or weeks before they are flagged by card operators) or to identify and remove those preying on the vulnerable (from children to silver surfers). Also take a look at how the Internet really works, "a cartel masquerading as anarchy" remains my favourite description, and at the forces driving the transition to IPV6.

Now perhaps you understand my question.   

Has RBS put the Information Society back 5 Years or saved us from worse?

As detail emerges to confirm the scale, nature and source of the problems faced by RBS and the impact on its customers we can begin to ponder the consequences, including for HMG aspirations to move its dealings with the most vulnerable in society not only on-line, but reliant on call centres and support staff based on the other side of the world.

Cabinet Office is in the process of organising the frameworks under which the next generation of central government services will be procured. Some have been announced, others are just going out to tender. But what will be the effect on public confidence of last week's public and small business experience, if the industry closes ranks professionally and says "it was just one of those things that happen in today's complex on-line world".

Last week I agreed to help organise an exercise on the nature of trust in the on-line world.

That exercise has just become a lot more urgent. It may also have, paradoxically, become very much easier. This may be one of those moments, like the Tay Bridge Disaster, when an industry is forced to grow up. The failings of cast iron bridges had been shown over 30 years earlier when the Dee Bridge fell down. The basic disciplines of systems engineering for systems to support remote on-line transaction processing are also over 30 years old. That has not prevented each new generation of supposed "computer professionals" from having to relearn the mistakes of their predecessors. The mixing of executable code and data was a firing offence for my generation. It is now deemed "essential" to get the throughput needed.

The enquiry into the Tay Bridge Disaster, when the Admiralty Commissioner of Wrecks over-rode the excuses of the most eminent engineers of the day (including his assessors), changed professional attitudes for ever - albeit not necessarily for good.

Is this a Tay Bridge moment?

Probably not. Not enough people are dead - although if RBS has to be put down as its customers walk away and the rest of us go back to carrying cash reserves in case our Cards stop working ... 

Does the Natwest service collapse indicate the true cost of Offshoring?

I have just been reading allegations on Guido Fawkes (midway down the comment stream below a picture of Osborne greeting one of the EU's prettier finance ministers) that the failed software upgrade which caused the systems problems at Natwest was a direct result of transferring batch mainframe maintenance to India. If that is correct, it will prove to have been one of the most expensive cost-cutting programmes ever. It is not just the short term customer suffering and consequent compensation claims but the loss of confidence.

The "know your customer" requirements that get in the way of banking competition in the UK will prevent an immediate flight of business to those who still retain such operations within the UK (who?) but others will fear that other banks are now similarly vulnerable and this was typical of the accidents waiting to happen. As it is we will have a dent in confidence in the UK financial system and a ritual hand-wringing that will probably add another layer of unnecessary regulation.

The real lesson is, however, to do with the consequences of running down the UK IT skills base.  

Who is making the bigger cuts: Whitehall or its Outsource Suppliers?

A number of commentators seem to think that future cuts in the Civil Services will lead to an increase in outside business and influence. In other words they think the policy is nominal cuts with spend transferred to contractors and outsource suppliers.

But what if Ministers really were and are serious about removing duplication across Whitehall and public sector, about consolidating on to the best of current delivery operations, about doing less but doing it better and about achieving the 30 - 70% savings that most external reviewers have long believed are realistic - not just the nominal 10% negotiated by those who have left at the end of the first round of cuts?

You may believe that pigs will fly in formation down Whitehall before that agenda is delivered, but the main IT (including consultancy) suppliers to Central Government have made bigger cuts in their sales and sales support teams than Government has been making in its planning and procurement teams. 


Who put the Rip-off into RIPA? - the current surveillance plans are mired in hypocrisy, but so is the opposition


What is the difference between Google, Facebook and Fixed and Mobile Operators monitoring traffic to "improve" their services to paying customers and government plans to pay operators to store communications data in case they might want it for intelligence or law enforcement?

The simplest answer is "Google, Facebook et al do it to make money for themselves. Government does it to make money for suppliers of storage technology."

If Government has £1.8 bn to help improve the ability of law enforcement to protect us against terrorists, pederasts, hacktivists and on-line fraudsters, is the most efficient use of that money to pay UK communications operators to retain communications data for longer?

Can the BDUK framework survive Birmingham and Cumbria on top of Westminster?

Ian Grant's latest Broken Telegraph post indicates that the BDUK framework has finally run its course, having delayed the roll out of rural broadband until after the Olympics. Whether or not that was the real objective, the cost of that delay will come out soon enough as Britain divides into Broadband haves and have-nots over the summer. Meanwhile the Leveson enquiry puts DCMS in a weak position to delay revealing the cost of BDUK itself. Whether it does so by responding to a Freedom of Information Request or Parliamentary Question or waits until the National Audit Office investigates and reports, time is running out - albeit those responsible will have retired before DCMS is dismantled after the Olympics.

The ease with which Westminster and Kensington handled the procurement complexities with which BDUK was supposedly going to assist local authorities and the speed with which the Commission approved the Birmingham network plans and final Cumbrian loss of patience have, however, wider implications. It reveals, all too clearly, that Whitehall does not know best when it comes to planning and procurement (and not just of communications). If one were to mark UK agencies in order of competence, the best and worst of practice would almost certainly be in Local Government, with Central Government consistently below average, with some of its worse failures resulting from botched attempts to bring in private sector "expertise" (from BDUK to the Health Service NPfIT and PFI programmes).

This has significant implications as Ministers finally try to take control of spending before the next round of cuts. Now that those who were resisting change until they had got their inflation-proofed pensions have gone, we are left with those who would like to think they still have a career in public service ahead of them, helping the UK recover from economic and fiscal collapse. Most are significantly brighter than the average Special Advisor or Management Consultant but are seriously under-trained in the competencies needed for effective policy formation and implementation.

I believe in the need to reprofessionalise the Civil Service (a belated implementation of the Fulton report) because we have outsourced too much over the two decades since we lost sight of the objectives behind the 1979 privatisation and liberalisation agenda on which I am still proud to have worked. The recentralisation of Communications policy under New Labour has been every bit as disastrous as that in other areas (e.g. Health) albeit it has not yet been seen to be as spectacularly wasteful. Current ministers are similarly carrying the blame for their inheritance, including of civil servants ingrained with New Labour attitudes of mind.

I fear things will get worse before they get better. Ministers need to seize the opportunity of the Olympic lockdown to set Local Government free to make progress while their officials are at home wrestling with trying to use domestic quality broadband for business tele-conferencing or watching Beach Volleyball next to Whitehall. If not, broadband roll-out and economic recovery (which across much of the UK now depends on world-class access to global business networks) will be delayed another six months - with little sign of recovery before the next election.

Can we still afford to leave this to BT if their bid against Sky for sporting rights shows their true investment priorities - as an integrated provider of entertainment rather than as an infrastructure utility? The stock market reaction, marking down BT as well as Sky, shows their view of the deal: "investing" in further subsidising the salaries and transfer fees of Premier League footballers instead of improving and extending broadband infra-structure to sell to Sky before the latter does a Vodafone, buying into a terrestrial network to cut its payments to BT.


Balkanisation in the Name of Harmonisation: the Digital Identities Directive seeks to curb Crown Immunity


The Commission has just issued a Draft Regulation on "electronic identification and trust services for electronic services in the internal market".

Practical Law summarised the proposal as follows: "The Regulation will replace the existing Electronic Signatures Directive (1999/93/EC), but will re-enact a number of the Directive's provisions. The aim is to enhance the previous legislation and to expand it to cover the mutual recognition and acceptance at EU level of notified electronic identification schemes and other related electronic trust services, such as the provision of electronic seals, time stamping, electronic document acceptability, electronic delivery and website authentication.

The Regulation will require mutual recognition between various national electronic identity systems, with the aim of making existing electronic identities functional across EU borders. One key proposal is that a member state participating in an electronic identification scheme will be liable for the correctness of its identification data.

On an initial assessment of the draft Regulation, it is difficult to see how more detailed and extensive framework proposals will promote greater use of digital trust services, given the fact that interested parties have been free to take advantage of various technical solutions available on the market for some time, but have not done so."

It is not clear who was actually involved in the "extensive consultation" claimed in the preamble to the draft but the removal of government immunity from liability for error may lie behind current attempts to build UK ID policy round privately issued electronic identities. But HMG appears unable to force us to pay for electronic identities when we contact it to pay tax or claim benefit. Therefore those bidding to supply ID services for the DWP Universal Credits system will have no guarantee of business because, without controversial primary legislation, there will have to be a bypass routine for those who do not wish to use their services.

This directive also needs to be scrutinised in the context of a whole series of overlapping EU regulatory initiatives (including on Data Protection, Payments and Ubiquitous Computing) as well as the impending global fight between ITU and ICANN over Internet addressing and the transition from IPV4 (dynamic address re-use, supposed anonymity and crumbling security) to IPV6 (with the potential for locked down device level identities and security fit for the Internet of things when everything is on-line).

DCMS kicks the future into touch while focussing on the past

The scrapping of the Communications Green Paper in favour of a seminar programme into the issues to be covered in a White Paper indicates that the DCMS is readying itself for the loss of its technology and infrastructure related roles after the Olympics. As I indicated in my previous blog, DCMS is focussed on the intra-UK issues of the past. Ian Grant says that DCMS does not get it. At one level he is correct. But they have different priorities after the public victory of those who have used the Leveson enquiry to see off the threat that an integrated and aggressive Sky operation might have presented to the dominance of both the BBC and BT. If you subtract the phone hacking scandal and add competition from ubiquitous broadband players like Vodafone (including Cable and Wireless) and Telefonica (O2 in the UK), we might even have had genuinely competitive world-class markets for infrastructure and content carriage by this time next year.

Given that the dead hands of the BDUK frameworks and of Spectrum policy are also holding back the scale and nature of private sector communications investment that is needed for a future of ubiquitous broadband supporting smart cities, infrastructures, social and health care, the sooner these are moved out of DCMS the better.

That is still, however, too myopic a vision. As I said in my last blog, we need to look at the issues in the context of the global fight for control over inter-operability standards (and the world of IPV6) between ITU and the agglomeration of Western organisations (ICANN, IETF, W3C et al) who turned the addressing routines for a pilot packet switched service (Arpanet and IPV4) into the basis of a global critical infrastructure after the ITU fouled up over X25.

In that context DCMS is not alone in displaying all the strategic vision and co-ordination of the rulers of the Middle East and of Europe when they were faced by the Mongols: capable of advancing at 60 miles a day, co-ordinated by Yam messengers travelling at over twice that speed. The Olympic summer offers a great opportunity for those who are not sport obsessives to take a good look at what needs to be done.

P.S. I enjoyed the Media cover of the Jubilee Regatta. I had been watching the Sky stream covering the assembly of the boats on my PC and knew what was about to come when I went downstairs to watch the BBC cover - assuming it would be better. Then I was faced by talking heads who were going to blot out what I had been looking forward to watching. So we switched over. I am told that the BBC camera work was indeed better, when you were allowed to watch it, but it appears the BBC has also lost the plot. Maybe it is the air in Manchester.


This week saw the world Launch of IPV6 - but not in the UK

This week saw a valiant attempt by the Internet Society to regain the initiative on IPV6 from the ITU whose committees have been setting the pace on the standards of the future on behalf of those, like the Chinese, who need not only the additional addressing capability but also the added functionality and security for a world of ubiquitous high speed broadband. The news cover is narrowly techie or lukewarm.

Is ISOC too late, given the way that "vulnerability exploitation" tools like Flame are being used to exploit the weaknesses of the higgledy-piggledy "security" overlays necessitated by the address limitations of IPV4? Do ISOC, ICANN and the Internet Governance Forum still have the political backing necessary to see off the ITU and win the coming cyberwar?

Given the failure of the EU and UK (DCMS, BIS et al) to take IPV6 seriously and given their failure to distinguish between electronic addresses, electronic identities and electronic signatures, I fear not. The latest plans for a European "regulation" on electronic identities appear symptomatic of a fundamental failure of vision. They are at arm's length from the Commission's bid to also regulate the Internet of Things. Meanwhile the DCMS has kicked the overdue Communications Green Paper into touch, launching instead a series of seminars to discuss the issues of the past while those of the future, including the City of Things, are determined elsewhere. I fear that, on current form, "elsewhere" may well be an unreformed ITU.


Absurdly Open Data: ippr recommends giving organised crime open access to criminal justice systems

At first sight the ippr report on Open Justice looks attractive. But consider the recommendations in the context of the current lack of security of the systems that will be opened to view and of the technologies that will be used to access them. Yesterday I blogged on the coming fight for control over the Internet between non-Western Governments (via the ITU) and the global cartel of Internet Service Providers (via ICANN and Internet Governance Forum).

Today I had been going to blog on the need to carry forward the work started by EURIM over a year ago to unravel the confusion between Electronic Identities and Digital Signatures.

International law has been clear for over a century on the status of "Ben Bones his mark": whether it is a smudged thumbprint, a squiggly cross or a signature written in ink, blood or analogue or digital electronic pulses. But we now have a morass of initiatives, industry and government, which muddy rather than clarify the issues.        

Then ippr raised the debate over Open Data to a new level of absurdity. Once again we need to refer back to the work done by EURIM over recent years on the issues that have to be addressed before the wet dreams of the enthusiasts turn into Dark Nightmares. 

The titles of the summaries of some of the EURIM studies say it all:

From Toxic Liability to Strategic Asset: Unlocking the Value of Information

Improving the Evidence Base: the Quality of Information


Can Society afford to rely on Security by Afterthought not Design

As well reported in the Guardian, my successor as Secretary General, Dr Edward Phelps, has echoed my own support for the ideals of Open Government while emphasising the need to improve the professionalism of those managing the process.

The harm done by over-enthusiastic amateurs can be every bit as great as that done by pseudo-professionals who conceal their ignorance and lack of genuine training and experience in cloaks of confidentiality.

The first integrated study to take a look at the potential benefits from the application of IT to police and justice systems was done in the mid-1970s. I may still have a copy in my files somewhere.  At the technical level it was very much more impressive than the study I led on the Computing needs of the re-organised Water Industry at the same time. But it had far less impact on subsequent developments because it failed to take account of the politics of implementation. The biggest weakness of the ippr exercise is that it fails to take account of the sophistication of those who make a very good living from corrupting our law enforcement and criminal justice systems.

As Chairman of the Conservative Technology Forum I applaud the breadth of vision. As a former Information Systems professional I deplore the lack of insight.

Has Flame moved the battle for control over the Internet from Cold War to Hot War?

Vanity Fair recently published a thought provoking article in which the planned ITU World Conference on International Telecommunications was seen as the start of World War 3: the fight for control of the Internet.

The current Internet governance regime (which I have called "a Cartel masquerading as anarchy") came about largely because the ITU gave up after the failure of X25 to provide effective standards for any-to-any packet switched communications. It left vacant the role of providing an umbrella organisation for these to be developed and implemented. The vacuum was filled by a motley collection of self-appointed, semi-academic or US government groups such as the Internet Engineering Task Force, W3C and ICANN.

We are now living with the consequences. 

The Vanity Fair article takes a US-centric view and considers these in the context of SOPA, PIPA and the problems that 20th Century American lawyers and lobbyists created, when they turned Intellectual Property Rights from mechanisms to encourage, foster and protect creativity and innovation into a Wild West style "race to stake the land claim" followed by a legal gravy train in which law firms and collecting agencies commonly trouser considerably more in fees than R&D labs, authors or composers receive in royalties.

The current ICANN programme to create Top level Domain names can be seen as another example of that "first to file" mentality applied to the on-line world. No wonder so many ITU member states fear they will share the fate of the Indian Tribes of North America if they do not band together and find suitable allies.

IPR is, however, only one of the battlefields.


About this Archive

This page is an archive of entries from June 2012 listed from newest to oldest.
